Commit 42aafd8b authored by Ming Lei, committed by Jens Axboe

ublk: don't allow user copy for unprivileged device



UBLK_F_USER_COPY requires userspace to call write() on ublk char
device for filling request buffer, and unprivileged device can't
be trusted.

So don't allow user copy for unprivileged device.

Cc: stable@vger.kernel.org
Fixes: 1172d5b8 ("ublk: support user copy")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20241016134847.2911721-1-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
parent e972b08b
+10 −1
@@ -2380,10 +2380,19 @@ static int ublk_ctrl_add_dev(struct io_uring_cmd *cmd)
	 * TODO: provide forward progress for RECOVERY handler, so that
	 * unprivileged device can benefit from it
	 */
	if (info.flags & UBLK_F_UNPRIVILEGED_DEV)
	if (info.flags & UBLK_F_UNPRIVILEGED_DEV) {
		info.flags &= ~(UBLK_F_USER_RECOVERY_REISSUE |
				UBLK_F_USER_RECOVERY);

		/*
		 * For USER_COPY, we depends on userspace to fill request
		 * buffer by pwrite() to ublk char device, which can't be
		 * used for unprivileged device
		 */
		if (info.flags & UBLK_F_USER_COPY)
			return -EINVAL;
	}

	/* the created device is always owned by current user */
	ublk_store_owner_uid_gid(&info.owner_uid, &info.owner_gid);

+7 −1
@@ -175,7 +175,13 @@
/* use ioctl encoding for uring command */
#define UBLK_F_CMD_IOCTL_ENCODE	(1UL << 6)

/* Copy between request and user buffer by pread()/pwrite() */
/*
 *  Copy between request and user buffer by pread()/pwrite()
 *
 *  Not available for UBLK_F_UNPRIVILEGED_DEV, otherwise userspace may
 *  deceive us by not filling request buffer, then kernel uninitialized
 *  data may be leaked.
 */
#define UBLK_F_USER_COPY	(1UL << 7)

/*
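Review bot: the new comment on `UBLK_F_USER_COPY` explains why the flag is unavailable with `UBLK_F_UNPRIVILEGED_DEV`, but not what userspace sees when it sets both. As this is the UAPI header, it should say that device creation fails with `-EINVAL` (per the check added in `ublk_ctrl_add_dev()`), so that a server author does not assume the flag is dropped quietly the way the recovery flags are. The wording "deceive us" could also be made more concrete, for example "an untrusted server may not fill the request buffer, so uninitialized kernel data may be exposed through the block device". The double space after the ` *` in each comment line looks unintentional.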